From: Andy Lutomirski
Date: Wed, 9 Mar 2016 22:46:46 -0800
Subject: Re: [kernel-hardening] Re: [PATCH v3 3/3] SROP mitigation: Add sysctl to disable SROP protection.
To: Kees Cook
Cc: kernel-hardening@lists.openwall.com, Scott Bauer, LKML, x86@kernel.org, wmealing@redhat.com, Andi Kleen, Abhiram Balasubramanian
References: <1457470075-4586-1-git-send-email-sbauer@eng.utah.edu> <1457470075-4586-3-git-send-email-sbauer@eng.utah.edu> <20160308210013.15ee166d@lxorguk.ukuu.org.uk>

On Wed, Mar 9, 2016 at 10:36 PM, Kees Cook wrote:
> On Tue, Mar 8, 2016 at 1:00 PM, One Thousand Gnomes wrote:
>> On Tue, 8 Mar 2016 13:47:55 -0700
>> Scott Bauer wrote:
>>
>>> This patch adds a sysctl argument to disable SROP protection.
>>
>> Shouldn't it be a sysctl to enable it irrevocably, otherwise if I have DAC
>> capability I can turn off SROP and attack something to get to higher
>> capability levels?
>>
>> (The way almost all distros are set up it's kind of academic but for a
>> properly secured system it might matter).
>
> Perhaps use proc_dointvec_minmax_sysadmin instead to tie changes
> strictly to CAP_SYS_ADMIN?

I don't see why this needs to be irrevocable. If you have CAP_SYS_ADMIN or
write access to /proc or whatever, you can do much worse things than turning
off a user-level mitigation. For example, you can ptrace things. Also,
you're already root, so what's the point?

--Andy
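Editor's note: the two proposals in the thread (Kees: gate writes on CAP_SYS_ADMIN via proc_dointvec_minmax_sysadmin; Alan: a knob that can only ever be switched on) are both existing kernel sysctl idioms. The following is an added example, written for this page and not taken from the SROP patch series or from any participant. It is a userspace C model, not kernel code: `capable()` is replaced by a test-controlled stub, `model_dointvec_minmax` and `model_dointvec_minmax_sysadmin` are simplified stand-ins for the kernel handlers of the same shape (range check via `extra1`/`extra2`; refuse writes without CAP_SYS_ADMIN), and the knob name `srop_protection` is hypothetical. The one-way variant uses the same min == max == 1 trick the kernel uses for `kernel.modules_disabled`.

```c
/*
 * Userspace model of two sysctl write policies (added example; not kernel
 * code and not part of the SROP patch series). capable() is stubbed.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for the kernel's capable(CAP_SYS_ADMIN); set per call by try_write(). */
static bool g_caller_has_cap_sys_admin = false;
static bool capable_cap_sys_admin(void) { return g_caller_has_cap_sys_admin; }

struct ctl_table {
    const char *procname;
    int *data;
    int mode;                        /* DAC bits on the /proc/sys file (e.g. 0644) */
    int (*proc_handler)(struct ctl_table *t, bool write, int *val);
    const int *extra1;               /* minimum accepted value, or NULL */
    const int *extra2;               /* maximum accepted value, or NULL */
};

/* Model of proc_dointvec_minmax(): out-of-range writes fail with -EINVAL. */
static int model_dointvec_minmax(struct ctl_table *t, bool write, int *val)
{
    if (!write) { *val = *t->data; return 0; }
    if (t->extra1 && *val < *t->extra1) return -EINVAL;
    if (t->extra2 && *val > *t->extra2) return -EINVAL;
    *t->data = *val;
    return 0;
}

/* Model of proc_dointvec_minmax_sysadmin(): writes additionally need CAP_SYS_ADMIN. */
static int model_dointvec_minmax_sysadmin(struct ctl_table *t, bool write, int *val)
{
    if (write && !capable_cap_sys_admin()) return -EPERM;
    return model_dointvec_minmax(t, write, val);
}

static int srop_protection = 1;      /* hypothetical knob, enabled by default */
static const int zero = 0, one = 1;

/* Policy A (Kees's suggestion): 0/1 toggle, but only for CAP_SYS_ADMIN holders. */
static struct ctl_table srop_sysadmin_gated = {
    .procname = "srop_protection", .data = &srop_protection, .mode = 0644,
    .proc_handler = model_dointvec_minmax_sysadmin, .extra1 = &zero, .extra2 = &one,
};

/* Policy B (Alan's suggestion): irrevocable enable. With min == max == 1 the
 * only write that is ever accepted is "1"; nobody, root included, can write
 * it back to 0. Same trick as kernel.modules_disabled. */
static struct ctl_table srop_one_way = {
    .procname = "srop_protection", .data = &srop_protection, .mode = 0644,
    .proc_handler = model_dointvec_minmax, .extra1 = &one, .extra2 = &one,
};

/* Attempt a write as a caller that does/does not hold CAP_SYS_ADMIN.
 * Returns 0 on success or a negative errno, like the kernel handlers. */
int try_write(struct ctl_table *t, bool caller_is_sysadmin, int newval)
{
    g_caller_has_cap_sys_admin = caller_is_sysadmin;
    return t->proc_handler(t, true, &newval);
}

int current_value(void) { return srop_protection; }
void reset_value(int v) { srop_protection = v; }
```

The difference the thread is arguing about is visible in the two tables: policy A stops a caller who merely bypasses the 0644 DAC check (Alan's "DAC capability" case) but still lets CAP_SYS_ADMIN turn the mitigation off, which is exactly the caller Andy argues can already do worse; policy B removes the off switch for everyone, at the cost of never being able to disable the mitigation on a running system.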